# Implementation Plan: Policy Enforcement

## Objective

Implement the final task that parses the aggregated results and decides whether to Pass or Fail the Argo Workflow based on the `fail-on-cvss` input threshold.

## Requirements

- Define a task template named `enforce-policy`.
- Depend on the completion of the upload tasks (Phase 3 Steps 1 & 2).
- Mount the shared PVC at `/workspace`.
- Read the input parameter `fail-on-cvss` (e.g., `7.0`).
- Run a script (Python, jq, etc.) to parse all the reports in `/workspace/reports/`.
- If any vulnerability is found with a CVSS score >= the threshold, print an error summary and exit with a non-zero code (causing the Argo Workflow to fail).
- If no vulnerability has a CVSS score at or above the threshold, print a success summary and exit with 0.

## Agent Instructions

1. Add the `enforce-policy` template to the `ClusterWorkflowTemplate`.
2. Write the parsing logic inside the task (e.g., extracting CVSS scores from SARIF and JSON formats).
3. Ensure this step acts as the final gatekeeper for the pipeline.
4. **CRITICAL: File Splitting:** Do NOT put everything into one giant file! Split your YAML manifests or configurations into separate, smaller files (e.g. using separate Helm template files, configmaps, or helper scripts) to prevent exhausting the context window.
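As an added example (not code from this plan or from the project it describes), the following Python script implements the gate described in the Requirements and in step 2 above: it walks a reports directory, extracts CVSS scores from SARIF files via the rule-level `security-severity` property (the convention GitHub code scanning and Trivy emit) and from other scanner JSON by recursively looking for the key names in `CVSS_KEYS` (an assumption; extend the set for your scanner), prints a summary, and returns the exit code the Argo task should use. The sample reports and their `CVE-0000-*` ids are constructed placeholders, not real findings.

```python
import json
import sys
import tempfile
from pathlib import Path
from typing import Iterator

# Keys that commonly carry a CVSS base score in scanner JSON (assumed; extend per scanner).
CVSS_KEYS = {"security-severity", "V3Score", "V2Score", "baseScore", "cvss_score", "cvssScore"}


def _iter_sarif(doc: dict) -> Iterator[tuple[str, float]]:
    """Yield (ruleId, score) for each SARIF result whose rule declares security-severity."""
    for run in doc.get("runs", []):
        severity_by_rule = {}
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            sev = rule.get("properties", {}).get("security-severity")
            if sev is not None:
                severity_by_rule[rule.get("id")] = float(sev)
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            if rule_id in severity_by_rule:
                yield rule_id, severity_by_rule[rule_id]


def _iter_generic(node, label: str = "?") -> Iterator[tuple[str, float]]:
    """Recursively walk arbitrary scanner JSON and yield every numeric CVSS-like value."""
    if isinstance(node, dict):
        label = node.get("VulnerabilityID") or node.get("id") or node.get("cve") or label
        for key, value in node.items():
            if key in CVSS_KEYS and isinstance(value, (int, float, str)):
                try:
                    yield str(label), float(value)
                except ValueError:
                    pass  # non-numeric severity strings (e.g. "HIGH") are not CVSS scores
            else:
                yield from _iter_generic(value, label)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_generic(item, label)


def collect_findings(reports_dir) -> list[tuple[str, str, float]]:
    """Return (report file, vulnerability id, score) for every *.json / *.sarif report."""
    findings = []
    for path in sorted(Path(reports_dir).iterdir()):
        if path.suffix not in (".json", ".sarif"):
            continue
        try:
            doc = json.loads(path.read_text())
        except (OSError, ValueError) as exc:
            # An unreadable report must fail the gate, never silently pass it.
            raise RuntimeError(f"unreadable report {path.name}: {exc}") from exc
        rows = _iter_sarif(doc) if isinstance(doc, dict) and "runs" in doc else _iter_generic(doc)
        findings.extend((path.name, vid, score) for vid, score in rows)
    return findings


def enforce_policy(reports_dir, threshold: float) -> int:
    """Print a summary; return 1 if any score >= threshold (fails the workflow), else 0."""
    findings = collect_findings(reports_dir)
    violations = [f for f in findings if f[2] >= threshold]
    if violations:
        print(f"POLICY FAIL: {len(violations)} finding(s) at or above CVSS {threshold}")
        for name, vid, score in violations:
            print(f"  {name}: {vid} (CVSS {score})")
        return 1
    print(f"POLICY PASS: {len(findings)} finding(s) checked, none at or above CVSS {threshold}")
    return 0


# Constructed sample reports (not real scanner output); the CVE ids are placeholders.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "demo-scanner", "rules": [
            {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-0000-0002", "properties": {"security-severity": "4.3"}},
        ]}},
        "results": [{"ruleId": "CVE-0000-0001"}, {"ruleId": "CVE-0000-0002"}],
    }],
}
SAMPLE_JSON = {"Results": [{"Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "CVSS": {"nvd": {"V3Score": 7.0}}}]}]}


def demo(threshold: float) -> tuple[int, list[tuple[str, float]]]:
    """Gate the constructed samples in a temp dir; return (exit code, extracted (id, score))."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "scan.sarif").write_text(json.dumps(SAMPLE_SARIF))
        Path(tmp, "scan.json").write_text(json.dumps(SAMPLE_JSON))
        pairs = [(vid, score) for _, vid, score in collect_findings(tmp)]
        return enforce_policy(tmp, threshold), pairs


if __name__ == "__main__":
    # In the Argo task: python enforce_policy.py /workspace/reports <fail-on-cvss>
    if len(sys.argv) == 3:
        sys.exit(enforce_policy(sys.argv[1], float(sys.argv[2])))
    sys.exit(demo(7.0)[0])
```

Inside the `enforce-policy` task, run the script with `/workspace/reports` and the `fail-on-cvss` parameter as its two arguments; the non-zero exit is what makes Argo mark the step, and therefore the workflow, as failed. Two choices matter for a gate: the comparison is `>=`, matching the requirement that a score equal to the threshold fails the build, and a report that cannot be parsed raises instead of being skipped, so a broken upload cannot turn into a silent pass.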